Multiprover interactive verification system

ABSTRACT

In a multiparty verification system, a prover and a verifier are coupled torocess respective outputs to provide a system output such as an identification verification. The prover is formed of plural units which share confidential information used to encrypt information carried by the prover. Communication between the prover units is prevented. The first prover unit encrypts the information based on additional information received from the verifier and transfers the encrypted information to the verifier. Subsequently, the verifier obtains from the second prover unit the shared confidential information required to decrypt a subset of the transmitted encrypted information.

BACKGROUND OF THE INVENTION

An identification scheme is a method by which a party A can prove to aparty B that he is indeed A. In 1976 Diffie and Hellman (DH) introducedthe idea of digital signatures. In 1978 Rivest, Shamir and Addleman(RSA) suggested an implementation of this idea based on the assumptionthat factoring large integers is a hard computational problem. However,there is no known proof that party B who is validating the identity of ausing digital signatures cannot turn around falsely, and prove that heis A to a third party C, even under the assumption that factoringintegers is a hard computational problem. Moreover, the cost of usingthe RSA digital signature scheme is about k modular multiplications eachof cost k² k digit numbers. The smallest value of k considered securetoday is k =200. This makes using RSA for identification in software tooslow, and in hardware and VLSI to expensive and special purpose.

In 1985 Goldwasser, Micali and Rackoff (GMR) presented the idea of"Zero-Knowledge Interactive Proof-Systems" which are interactiveprocedures by which a party A (the prover) can convince a party B (theverifier) that a theorem is true without telling B anything else. Onepossible theorem would be that A knows how to perform a hardcomputation. If the ability to perform this computation identifies A, aninteractive identification scheme immediately follows.

In 1986 Goldreich, Micali and Wigderson (GMW) showed that if one-wayfunctions exist then every language in nondeterministic polynomial time(NP) has a computationally zero-knowledge interactive proof system.Although theoretically quite exciting, using their result in practicewould be very inefficient.

In 1986 Shamir and Fiat (FS) suggested a particular zero-knowledgeidentification scheme based on the assumption that distinguishingquadratic residues from non-residues modulo composite integers is a hardproblem. A number of modular multiplication of many-digit numbers arerequired.

An example of a zero knowledge identification scheme based on the ideasof GMW and Blum is illustrated in FIG. 1. In that system, a prover Amust prove its identification to a verifier B. The prover A may, forexample, be a smart card having a processor thereon and the verifier Bmay be an automatic teller machine. Other forms of the prover A includecredit cards, access control cards and digital passports. The prover Acarries an identification set of information S_(i) which is unique toprover A and which is also known to verifier B. Knowledge of thatidentification set of information, however, is not considered sufficientto identify prover A, because it is generally available at least toverifiers and an eavesdropper from a prior identification may also havethat identification set. To prove its identity, prover A must prove thatit also has access to a solution subset S_(s) without actuallydisclosing that solution subset to either the verifier B or a potentialeavesdropper. This result is accomplished by means of a zero knowledgesystem.

The solution subset should have a predetermined mathematicalrelationship with the identification set and be readily verifiable as aproper solution, but it should not be readily determinable from theidentification set. For example, as illustrated in FIG. 1B, theidentification set could be the graph illustrated. The solution subsetcould be the listing of vertices which identify a Hamiltonian cycle;that is, a cycle such as shown in bold lines which intersects eachvertex without overlap. The graph of FIG. 1B is very simple for purposesof illustration. With more complex graphs, a Hamiltonian cycle may benearly impossible to determine from the full graph. On the other hand,by starting with a Hamiltonian cycle, one can develop a complex graphwhich includes the cycle so that prover A could be provided with boththe complex graph as the identification set S_(i) and the Hamiltoniancycle as the solution subset S_(s). The cycle and graph would begenerated by the prover itself or by a trusted center.

Given that prover A has access to both the identification set and thesolution subset, and that the verifier B only has access to theidentification set, the task remains for prover A to prove to theverifier B that it in fact has access to the solution set withoutactually reealing the solution set to verifier B. To that end, theprover has a permutator π, an encryptor E and a decryptor. Based on arandom sequence, the vertices of the identification set graph can bepermutated for successive message transmissions to the verifier. Thus,the permutated graph S.sub.πi shown in FIG. 1B is the initialidentification graph with the vertices renumbered according to somerandom process. Prover A then encrypts the individual elements of thepermutated identification set of information for transfer as S_(i)πE tothe verifier B. Also, the permutation π is encrypted for transfer toverifier B. As illustrated in FIG. 1C, this encryption is analagous tothe placement of each vertex of the permutated identification set in arespective envelope for transfer to verifier B. Such a transfer is acommitment by prover A to the permutated graph as well as to thepermutation which allows for reconstruction of the original graph S_(i); however, the encryption "envelopes" cannot then be opened by theverifier B.

Next, the verifier randomly selects, for each of successive encryptedpermutated graphs, either the entire identification set or the solutionsubset. In response to that random selection, the prover A either opensall encryption envelopes or only those envelopes corresponding to thesolution subset. If all envelopes are opened by transferring theoriginal nonencrypted permutated identification set S.sub.πi and thenonencrypted permutation π, the verifier B can reconstruct S_(i) andcompare the reconstructed set to the already available identificationset S_(i). This proves that A had in fact committed to a permutation ofthe identification set. As already noted, if this were the only test,there would be no verification because others might have access to thatidentification set. However, the verifier may at random select thesolution subset. In that case, the prover A returns only thenonencrypted permutated vertices of the Hamiltonian cycle. For example,the Hamiltonian cycle illustrated in FIG. 1B would be returned to theverifier as follows: (1,2), (2,3), (7,3), (7,4), (4,5), (5,6) and (1,6).Because the information is permutated and the permutation π is not inthis case available to B, B cannot make a correspondence between thepermutated Hamiltonian cycle and the original nonpermutated cycle S_(i)and thus gain knowledge of the Hamiltonian cycle corresponding to S_(i).However, B could step through the vertices to confirm that thepermutated vertices in fact create a cycle naming each of the sevenvertices without overlap.

For a full commitment by A, the prover A must encrypt the information ina manner which cannot readily be decrypted by the verifier or aneavesdropper; yet the encryption method must allow the verifier toreadily confirm that, when provided with both the encrypted informationand the nonencrypted information, one is the true encryption of theother. For example, in using for encryption the RSA function m³ mod nwhere m is the transferred message and n is a multidigit product of twoprimes, the verifier could not readily decrypt the information. However,with the nonencrypted information later provided with selection of allvertices and the permutation, the verifier could itself easily encryptthe information and compare it to the encrypted information to which theprover had already committed itself.

Thus, because the prover A had committed to the full set of vertices, itmust know both the identification set and the solution subset in orderto be correct with either selection made by the verifier. For any onetransfer of a permutated graph, the prover A could transfer either theproper graph with an incorrect solution or the proper solution with anincorrect graph. However, it could not transfer both a correct graph anda correct a cycle without access to the solution. With one transfer ofthe permutated graph, the verifier could only verify to fifty percentprobability; however, with successive transfers of the permutation graphand random selections, the verifiction becomes more and more certain. Ifthe prover does not have both the identification set and the solutionset, the verifier would soon select an incorrect full graph or anincorrect cycle from the prover.

Previous methods of commitment such as that just described are based onthe assumption that one-way functions, such as the RSA function, exist.This assumption has not yet been proven. Further, the many modularmultiplications of large digit numbers required for secure use of theRSA and other functions make those functions too slow for software andtoo expensive for hardware. Further, the approaches lose security whenperformed in parallel, that is, when multiple permutated graphs aretransferred to the verifier in parallel.

DISCLOSURE OF THE INVENTION

An object of the present invention is to provide a verification systemin which a computationally less complex encryption approach may beutilized. Complex one-way functions are not necessary where encryptionis based on random (including pseudorandom) information, a so-calledone-time-pad encryption scheme. Thus, in a system embodying the presentinvention the identification set may be encrypted utilizing randominformation generated at the prover. However, with such encryption, theverifier is no able to verify the decryption without the randominformation utilized in the encryption, and that can only be obtainedfrom the prover. If the verifier then looked to the prover of FIG. 1Afor that information, the prover would have the opportunity to providefalse information depending on the verifier's selection. The falseinformation would be other than that with which the identification sethad been encrypted, and the prover could guarantee the appearance of acorrect solution to the verifier if the verifier selected the permutatedsolution set. Thus the system would fail.

In accordance with the present invention, to overcome the aboveshortcoming, the prover comprises first and second prover units whichshare confidential prover encryption information. The first proverinitially encrypts the identification set with that information, and thesecond prover later provides to the verifier the prover encryptioninformation required for decryption. To make the second prover unitignorant of the actual information which had been transferred by thefirst prover unit, the encryption is also based on verifier encryptioninformation received from the verifier, and communications between thetwo prover units during the verification are limited to preventcheating. The verifier encryption information is held confidential fromthe second prover unit though it may be read by an eavesdropper. Inproviding the prover encryption information required for decryption, thesecond prover unit lacks the verifier encryption information required tofool the verifier by modifying the encryption information. Thus, in amethod embodying the present invention, the first prover unit commitsitself to encrypted identification information based on encryptioninformation shared by the first and second prover units, and the secondprover unit provides the information required for decryption.Preferably, the confidential verifier information and the confidentialprover informaion on which the encryption is based on both random.

In a more specific implementation of the present invention, afterreceipt of encrypted information, the verifier selects a subset of theencrypted information, such as the full identification set or a solutionsubset, for decryption. The encryption information provided to theverifier by the second prover unit corresponds to the selected subset ofthe encrypted information exclusively. Preferably, the selectioninformation is chosen at random.

Preferably, both the prover and verifier have access to anidentification set of information, and the prover alone has access tothe identity of a solution subset of the identification set, thesolution subset having a predetermined mathematical relationship withthe identification set. The solution subset is readily verifiable as aproper solution but not readily determinable from the identification setof information. In a plurality of cycles with respect to identificationsets permutated by the first prover unit, transfers of encryptedinformation include each permutated identification set. The selectioninformation selects information including the full identification set orthe solution subset, exclusively.

In one approach, the solution subset is a solution to the knapsackproblem where the numbers of the solution subset sum to a target number.In a very specific implementation, encrypted permutated informationbased on the following is transferred by the first prover unit:

A={v_(i), 1≦i≦n} where v_(i) is chosen at random in ##EQU1##

B={w_(i), 1≦i≦n}, the identification set

C={s_(i), 1≦i≦n} where s_(i) =v_(i) +w_(i) for all 1≦i≦n

D=Σ_(j)εJ v_(j)

E=J, the solution subset

F=T+Σ_(j)εJ v_(j), where T is the target

The selection information selects (A,B,C), (A,D,E), or (C,E,F) withequal probability.

In another approach, the prover and verifier both have access to a graphwhich serves as the identification set, and the prover alone has accessto a Hamiltonian cycle within the graph which serves as the solutionset. Both the knapsack problem and the Hamiltonian cycle problem arewell-known hard problems which are hard to invert yet easy to initiallycompute. Their use is particularly advantageous in the presenttwo-prover approach because they allow for a simple protocol between theprover and verifier. The knapsack problem is the most preferred due tothe ease with which specific hard instances can be generated.

The present invention is not restricted to identification schemes. Theidentification system is one example of a system in which two processorscan together determine an output based on information available to onlyone of the processors and in which the one processor need not discloseits confidential information to assure the other processor of thevalidity of the output. More specifically, the Hamiltonian cycle andknapsack problem approaches described above are approaches in which oneprocessor has access both to a function F(x) and the confidentialinformaton x and in which the second processor has access only to F(x),F(x) being a hard problem which is readily computed but which isdifficult to invert. The successful identification, the output of thesystem, is based on x, and the second processor is assured of thevalidity of the identification, but the first processor need notdisclose x to the second processor.

Systems embodying the present invention may include more than twoprocessors and more than two prover units per processor. Also, eachprocessor may comprise plural units such that each processor may assumethe roles of both prover and verifier.

A system embodying the present invention has the advantage of requiringno unproven assumptions to assure a zero knowledge system. Further, theencryption can be performed with a simple addition and can thus bereadily implemented in software or inexpensive hardware. Also, thesystem is fully parallelizable without any decrease in securityproperties.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A, 1B, 1C illustrate a prior art identification system.

FIG. 2 illustrates an identification system embodying the presentinvention.

PREFERRED EMBODIMENTS OF THE INVENTION

As illustrated in FIG. 2, the single prover of the prior art is replacedby two prover units P1 and P2. In its simplest form, each prover unitwould be a smart card which carries a microprocessor. However, theprover may be a single card having separate units mounted thereon in amanner which limits communications therebetween. During a verification,the verifier V must guarantee that there is no communication between thetwo prover units P1 and P2 in order to be convinced of the validity ofthe identification. Communication can be prevented by physical distanceand active jamming of any communication channel between the two units.

The dual prover units allow for a simplification of the commitmentprocess for use in any one-way function identification technique such asthat described above with respect to the Hamiltonian cycle. Prover P1commits to the information by encrypting that information based on aconfidential, preferably random, verifier encryption signal c from theverifier and its own confidential, preferably random, prover encryptionsignal r. Utilizing the random information r, the encryption can becomputationally very simple. Subsequently, to open the encryptionenvelopes of the full set of transmitted information or a subset thereofselected by the random signal t, prove P2 transfers the proverencryption information required for decryption by the verifier.

Say the message m to which P1 is to commit consists of 1 bit, i.e.mε{(0,1}. Let P1 and P2 share a secret random tape of r_(i) each ofwhich was chosen a priori at random from {0,1,2}. Let σ₀ (r_(i)) =r_(i)and σ₁ (0)=0,σ₁ (1)=2,σ₁ (2)=1. To commit to ith bit m:

1. V sends c chosen at random in {0,1} to P1.

2. P1 sends σ_(c) (r_(i))+m mod 3 to V.

To reveal ith bit m to V:

3. P2 sends r_(i) to V.

To commit to longer messages m, simply commit bit-by-bit.

In the complete protocol, using the Hamiltonian cycle approach describedin the background, the prover P1 generates successive permutations ofthe identification graph. Based on the random information c receivedfrom the verifier V, prover P1 selects either the function σ₀ or σ₁ forencryption. It then encrypts the permutated information using thefunction

    σ.sub.c (r.sub.i)+m mod 3.

That encrypted permutated information is transferred to the verifier asthe prover's commitment. Next, the verifier randomly selects either thefull graph or the Hamiltonian cycle with the signal t. Prover P2operates in parallel with prover P1 and thus can generate the samerandom numbers r and identify the solution subset which in this case isthe Hamiltonian cycle. P1 returns the requested prover encryptioninformation r to the verifier. Where the full graph is requested, theencryption information required to decrypt the permutation is alsoreturned. Because V is now able to perform the decryption itself, it canreadily verify that the decrypted information corresponds to theoriginally committed encrypted information and can also confirm that thedecrypted information is either the identification set S_(i) or apermutated cycle which includes every vertex of the graph withoutoverlap. Therefore verification is complete.

A preferred hard problem which may be used as an alternative to theHamiltonian cycle is the so-called knapsack problem. The knapsackproblem is based on the assumption that, given a large set of largenumbers, determination of a subset of numbers which sum to a targetnumber is not possible. By starting with the subset, one can readilygenerate a larger set, both of which can be stored on the prover.However, given the larger set, determination of the subset is extremelydifficult.

We describe the automatic teller machine application. The trusted center(the bank in this case) issues a pair of cards for every customer A tobe identified. One card P1 has an instance of the knapsack problem onit. Both cards P1 and P2 have a shared pool of random bits. The instanceof knapsack problem is a tuple (w_(i), 1≦i≦n,T,JC{1, . . . , n}), suchthat Σ_(j)εJ w_(j) =T. J is the solution subset. The bank stores a tablehaving customer A's name along with (w_(i), 1≦i ≦n,T), theidentification set.

When A comes to the bank machine, the two cards are inserted into themachine and the following protocol is executed. Steps 1-3 are executedin parallel k times where k is a security parameter.

1. P1 permutes the w_(i) 's at random and accordingly the set J. Now, P1commits to secrets A,B,C,D,E,F where

A={v_(i), 1≦i≦n} where v_(i) is chosen at random in ##EQU2## B={w_(i),1≦i≦n}, the identification set C={s_(i), 1≦i≦n} where s_(i) =v_(i)+w_(i) for all 1≦i≦n

D=Σ_(j)εJ v_(j)

E=J, the solution subset

F=T+Σ_(j)εJ v_(j), where T is the target

2. V sends to to P2 whre tε{1,2,3} at random.

3. If t=1, P2 reveals secrets A, B and C to V.

If t=2, P2 reveals secrets A, D and E to V.

If t=3, P2 reveals secrets C, E and F to V.

4. If in every execution of the above protocol; when t=1, s_(i) =v_(i)+w_(i) for all 1≦i≦n; when t=2, Σ_(j)εE v_(i) =D; and when t=3, Σ_(j)εEs_(i) =F, then Bank accepts customer A as valid.

For all customers C other than A, the probability that C succeeds inconvincing the Bank that he is A is less than or equal to (1/3)^(k).

Further discussion of the model on which the invention is based andproofs related thereto follows.

1.1 New Model

We extend the definition of an interactive proof for language L asfollows: instead of one prover attempting to convince a verifier that x,the input string, is in L, our prover consists of two separate agents(or rather two provers) who jointly attempt to convince a verifier thatx is in L. The two provers can cooperate and communicate between them todecide on a common optimal strategy before the interaction with theverifier starts. But, once they start to interact with the verifier,they can no longer send each other messages or see the messagesexchanged between the verifier and the "other prover". As in [GMR] theverifier is probabilistic polynomial time, and can exchange upto apolynomial number of messages with either one of the two provers (withno restriction on interleaving the exchanged messages) before decidingto accept or reject string x.¹

We restrict the verifier to send messages to the prover in apredetrmined order. It can be shown that this is equivalent with respectto language recognition, to a model in which the verifier is free totalk to the provers in any order he wishes. Moreover, the verifier canbe forced to send messages to the provers in a predetermined order byusing a simple password scheme. Thus, we can work in the easier to dealwith synchronous model completely without loss of generality.

The main novelty of our model is that the verifier can "check" itsinteractions with the provers "against each other". One may thick ofthis as the process of checking the alibi of two suspects of a crime(who have worked long and hard to prepare a joint alibi), where thesuspects are the provers and the verifier is the interrogator. Theinterrogators conviction that the alibi is valid, stems from hisconviction that once the interrogation starts the suspects can not talkto each other as they are kept in separate rooms, and since they can notanticipate the randomized questions he may ask them, he can trust hisfindings (i.e receiving a correct proof of the proposition at hand).

Applying this model in a cryptographic scenario, one may think of a bankcustomer holding two bank-cards rather than one, attempting to prove itsidentity to the bank machine. The machine makes sure that once the twocards are inserted they can no longer communicate with each other. Inthis scenario, the provers correspond to the two cards, and the verifierto to bank machine.

1.2 Results 1.2.1 Perfect Zero Knowledge Multi-Prover Interactive Proofs

We show, that in our extended model all NP languages have a perfectzero-knowledge interactive proof-system, making no intractabilityassumptions.

The protocol for NP languages proposed, requires the two provers toshare either a polynomially long random pad or a function which they cancompute but the polynomially bounded verifier can not. It is well knownthat such functions exist by counting arguments. Most of the burden ofthe proof lies on one predetermined prover. In fact, the "other" proversole function is to periodically output segments of the random pad heshares with the "primary prover". The protocol is constant (two) round.

Differently then in the case of the graph non-isomorphism and quadraticnon-residousity proof-systems in [GMR], [GMW], parallel executions ofthe protocol remain perfect zero-knowledge.

More generally, we show that any language which can be recognized in ourextended model, can be recognized in perfect zero-knowledge making nointractability assumptions.

Our construction does not assume that the verifier is polynomial timebounded. The assumption that there is no communication between the twoprovers while interacting with the verifier, must be made in order forthe verifier to believe the validity of the proofs. It need not be madeto show that the interaction is perfect zero-knowledge.

1.3 Language Recognition Power of New Model

It is interesting to consider what is the power of this new model solelywith respect to language recognition. Clearly, NP IP which in turn is asubset of languages accepts by our extended model. We show that addingmore provers than two, adds no more power to the model.

We also show for every language possessing a two prover interactiveproof there exists another two prover interactive proof which achievescompleteness, i.e. the verifier will always accept strings which are inthe language.

Fortnow, Rompel and Sipser [FRS] have shown that two provers can acceptany language in IP (one-prover model with polynomial number of rounds)using only a constant number of rounds. They also show that threeprovers can accept in a constant number of rounds all languagesrecognized by a multi prover model.

Feige, Shamir and Tennenholtz [FST] look at a model they call thek-noisy oracle model, in which the verifier is interacting with koracles all of which but one may be dishonest. Based on the assumptionthat one of the oracles is trusted, they show that P-space langauagescan be recognized in a 2-noisy oracle model.

1.4 Open Problem

Whether the two-prover proof-system is actually more powerful withrespect to language recognition than the original one-prover interactiveproof-system of [GMR], [B], remains an open problem.

Even the simplest case of two-round two-prover proof-system in which theverifier sends the result of his coin tosses first (some to prover 1 andsome to prover 2), receives responses (from both provers) on thesubsequent round, and then evaluates a polynomial time predicate todecide whether to accept or reject, is not known to lie in PSPACE.Hastad and Mansour [HM] show that resolving this question in thepositive will imply that NP≠poly(log)-SPACE.

2. Definitions Definition 1

Let P₁, P₂, . . . , P_(k) be Turing machines which are computationallyunbounded and V be a probabilistic polynomial time Turning machine. Allmachines have a read-only input tape, a work tape and a random tape. Inaddition, P₁, P₂, . . . , P_(i) share an infinite read-only random tapeof 0's and 1's. Every P_(i) has one write-only communication tape onwhich it writes messages for V. V has k write-only communication tapes.On communication tape i, V writes messages to P_(i). We call (P₁, P₂, .. . , P_(k), V) a k-prover interactive protocol.

Remark 1

Fortnow, Rompel and Sipser [FRS] remark that the above can be modeled asa probabilistic polynomial time turning machine V and an oracle p suchthat queries to p are prefixed always by 1≦i≦k, corresponding to whetherthe query is directed to prover i. Each query contains the history ofthe communication thus far.

We note that although this memoryless formulation is equivalent to thei-prover formulation with respect to language recognition, it is notequivalent when zero-knowledge is considered. In this latter case theprovers must be able to check that the history is indeed what is claimedby the verifier, before answering the next query. Since the verifier isnot untrusted, the provers can not be memoryless.

Definition 2

Let L {0,1}*, We say that L has a k-prover interactive proof-system(IPS) if there exists an interactive BPP machine V such that:

1 P₁, P₂, . . . , P_(k) such that (P₁, P₂, . . . , P_(k), V) is ak-prover interactive protocol and xεL, prob (V accepts input x)≧1/2.

1 P₁, P₂, . . . , P_(k) such that (P₁, P₂, . . . , P_(k), V) is ak-prover interactive protocol, prob (V accepts input x)≧1/3.

Remark 2

if L has an k-prover interactive proof-system and condition (1) holdsfor a particular P₁ P₂, . . . , P_(k), then we say that (₁, P₂, P_(k),V) is a k-prover interactive proof-system for L.

Remark 3

if L has an two-prover interactive proof-system, then L has a two-proverinteractive proof-systems (P₁, P₂, V) such that for xεL, prob (V acceptsx)=1. See Theorem 5.

Remark 4

For convenience, without loss of generality, we assume that everyverifier V outputs his coin tosses at the end of his interaction withthe Pi's.

Definition 3

Let IPk={L which have k-prover interactive proof-system}.

The following definition of perfect zero-knowledge is identical to theGoldwasser-Micali-Rackoff [GMR] definition of perfect zero-knowledge inthe 1-prover model.

Definition 4

Let (P₁, P₂, . . . , P_(i), V) be a k-prover interactive proof-systemfor L. Let View P₁, P₂, . . . , P_(k), V) (x) denote the verifier's viewduring the protocol (namely the sequence of messages exchanged betweenthe verifier and the two provers including the last message of theverifier which contains his coin tosses--see remark 4 above). This is aprobability space taken over the coin tosses of V and the joint randomtape of P₁, P₂, . . ., P_(k). We say that k-prover interactive protocol(P₁, P₂, . . . , P_(k), V) is perfect zero-knowledge for V if thereexists a BPP machine M such that M(x)=View P.sbsb.1.sub.,P.sbsb.2.sub.,. . . , V (x). We say that L has a k-prover perfect zero-knowledgeproof-system if there exists provers P₁, P₂, . . . , P_(i) such that forall BPP verifiers V, there exists a probabilistic Turning machine M suchthat for all x in L, M(x)=View_(P).sbsb.1.sub.,.sbsb.P₂.sub., . . . ,P.sbsb.k.sub.,_(V) (x) and M(x) terminates in expected polynomial time.

3. Statement of our Results Theorem 1

Every LεNP has a two-prover perfect zero-knowledge interactiveproof-system.

Proposition 1

parallel executions of the perfect zero-knowledge interactiveproof-system for NP remain perfect zero-knowledge.

Theorem 2

Every LεIP₂ has a perfect zero-knowledge interactive proof-system.

Theorem 3

Any two party oblivious function computation can be done in this model.

Theorem 4

For all k≧2, if LεIP_(k) then LεIP₂.

Theorem 5

If LεIP₂ then P₁, P₂, V such that (₁, P₂, V) is a two-prover interactiveproof-system for L and for all x εL, Prob(V accepts x)=1.

3. Key Ideas

A general primitive used in complexity based cryptography (and inparticular in the proof that NP is in zero-knowledge under theassumption that one-way functions exist) is the ability to encrypt a bitso that the decryption is unique. In our model, encryption is replacedby a commitment protocol to a bit such that the bit is equally likely tobe 0 or 1 (information theoretically), and yet the probability that adifferent bit can be decommited (i.e. revealed) is less than 1/2 (thisfraction can then be made arbitrarily small using standard techniques).The idea is that one prover is used to commit the bit, and the other toreveal it.

Another important primitive is that of oblivious circuit evaluation.This primitive allows two parties, A and B, possessing secrets i and jrespectively, to compute some agred upon function f(i,j) in such a waythat A learns nothing, and B learns only f(i,j). the originalimplementation of this protocol, due to Yao [Yao86a], requires theexistence of trapdoor functions. In fact, oblivious circuit evaluationcan not be implemented without cryptographic assumptions in the standardtwo party scenario. However, we show that oblivious circuit evaluationbetween verifier and 1 prover can be done without assumptions in thetwo-prover model. The proof relies on a result of [K] reducing obliviouscircuit evaluation to a simpler protocol, known as 1-out-of-2 oblivioustransfer, which was reduced by [C] to a still simpler protocol, known asoblivious transfer. This last protocol is implemented in the two-provermodel.

4 Proof of Theorem 1: How to Commit Bits

We first show that every language in NP has a perfect zero-knowledgetwo-prover interactive proof-system.

Theorem 1

Every L in NP has a two-prover perfect zero-knowledge interactiveproof-system

Idea of Proof

Let (P₁, P₂, V) denote a multi-prover protocol which receives as inputthe graph G=(V,E). Let P₁ and P₂ share an infinite random pad R suchthat R=r₁ r₂. . . where r_(i) ε{0,1,2]². Let n=|V|.

Let us quickly review² one of the, by now standard proofs ([GMW1], [B1])that NP is in zero-knowledge under the assumption that one-way functionsexist.

Review

The prover is attempting to convince the verifier that G is Hamiltonian.

The prover publicizes an probabilistic encryption algorithm E (as in[GM], [Yao82a]⁴) The prover and verifier repeat the following protocol ntimes:

STEP 1: prover randomly permutes the vertices of graph G (usingpermutation π) to obtain graph G and sends to verifier

• an n×n matrix α={a_(ij) } where α_(ij) in E(b_(ij)) and b_(ij) =1 ifedge ij is present in the G and 0 otherwise.

• βεE(π), i.e an encryption fo π.

STEP 2: verifier chooses at random coin ε{0,1}, and sends coin to theprover.

STEP 3: If coin=1, prover decrypts β and α_(ij) for all i,j≦n and sendsdecryptions to verifier. If coin=0, prover decrypts those α_(ij) suchthat edge ij is in the Hamiltonian path in G.

STEP 4: If prover is unable to preform step 3 correctly, verifierrejects. Otherwise, after n iterations of steps 1 through 4, verifieraccept.

End of Review

Returning to the two prover model, prover P₁ replaces the prover in step1 of above protocol and prover P₂ replaces the prover in step 2 of aboveprotocol. Algorithm E is no longer a probabilistic encryption algorithmbased on the existence of one-way functions as in [GM] or ]Yao86a], butrather a commitment algorithm computed as follows.

Let σ₀, σ₁ : {0,1,2}->{0,1,2} be such that

(1) for all i, σ_(o) (i)=i,

(2) σ₁ (0)=0, σ₁ (1)=2 and σ₁ (2)=1.

Let m_(k) be the k-th bit to be committed to in the protocol.

To commit m_(k) :

• V chooses at random c_(k) ε{0,1} and sends c_(k) to P₁.

• P₁ sets E(c_(k), m_(k))=σ_(c).sbsp.k (r_(k))+m_(k) mod 3, where r_(k)ε{0,1,2} is read off the random tap P₁ shares with P₂, and sendsE(c_(k), m_(k)) to V.

To reveal the k-th bit committed in the protocol, V and P₂ engage in thefollowing protocol.

To reveal the k-th bit:

• V sends k to P₂.

• P₂ sends V the string r_(k).

• V computes σc_(k) (r_(k)) and sets m_(k) to (E(c_(k), m_(k))-σc_(k)(r_(k))) mod 3.

Note: P₂ does not know c_(k) and has never seen E(c_(k), m_(k)).

We prove two properties of the above pair of commit-reveal protocols.First since P₂ sees neither E(c_(k), m_(k)) nor c_(k), but knows exactlywhat P₁ 's program is, the probability that P₂ successfully reveals abit value different than the one P₁ committed to is less than 1/2.

Claim 1.1

rε{0,1,2}, mε{0,1},

    prob(r is s.t. E(c,r,m)=E(c,r,m))≦1/2

Comment

To decrease the probability of successfuly cheating from 1/2 to 1/2^(n),P₁ preform n commits to m_(k) and P₂ preforms n reveals correspondingly.Knowing k, E(c_(k), m_(k)) and c_(k) gives the verifier no advantage inguessing m_(k).

Claim 1.2

c ε{0,1},

    prob(m=0|E(c,r,m))=prob(m=1|E(c,r,m))=1/2

Proving now that the altered multi-prover Hamiltonian cycle protocolconstitutes a two-prover interactive proof for the Hamiltonian cycleproblem follows directly from [B1]'s proof and claim 1.

Proving that the protocol is perfect-zero-knowledge is more subtle.

To this end, we exhibit a probabilistic Turing machine M such that

• for Hamiltonian graphs G, M(G) terminates in expected polynomial time.

• for all V such that (₁, P₂, V) is a two-prover protocol, and for allHamiltonian graphs G, M(G)=View_(P).sbsb.1.sub.,_(P).sbsb.2.sub., _(V).(where P₁, P₂ are honest provers as specified above.)

WLOG let the number of coin tosses of verifier and prover on input G=(V,E) where |V|=n be be bounded by polynomial Q(n).

SIMULATOR M program: (tailored after steps 1-4 above in [B1]'s proof)STEP 1

M chooses ρε{0,1}^(Q)(n) at random for the coin tosses to be used by V.and sets R=r₁ r₂. . . r_(k). . . , |R|ε{0,1}^(Q)(n) where r_(k) ε{0,1,2}are chosen at random. (V(ρ,G) will denote the program V on input G andcoin tosses ρ.) M picks a random permutation π of the vertices of graphG to obtain the permuted graph G and an n×n random binary matrix MAT.Next, M simulates a commitment protocol to π and MAT as follows. Tosimulate a commitment protocol to the k-th bit m: M runs V(ρ, G) toobtain c, computes E(c,m)=ρ_(ck) (r_(k))+m mod 3 for r_(k) εR, andwrites E(c,m) on V(ρ,G)'s tape.

STEP 2

M continues running V(ρ,G) to obtain coin.

STEP 3

if coin=1, M reveals π (as P₂ would do in real protocol) by writing theappropriate r εR on V(ρ,G)'s) tape. Revealing MAT to V is more involved,as follows. Let MAT={m_(ij) |1≦i,j≦n} and α=E(c,m_(ij))=ρ_(c) (r)+m_(ij)mod 3 where r εR is the r used in step 1 to commit m_(ij). Let r be suchthat α=ρ_(c) (r)+m_(ij) mod 3. Note that such r always exists and sinceM knows c (differently from P₂ in the real protocol) M can compute it.Set ##EQU3##

Then M reveals r to V(ρ,G).

If coin=0, M selects n ij entries at random in MAT such that no twoentries are in the same column or in the same row. Set ##EQU4## Whereagain r ε R from step 1 such that α=E(c,m_(ij))=ρ_(c) (r)+m_(ij) mod 3,and r is such that α_(ij) =ρ_(c) (r)+m_(ij) mod 3. Next, M reveals r toV(ρ,G). Finally, M sets R to be R with the values of r substituted for rused to commit the matrix MAT.

STEP 4

M runs V to either accept or reject. It then outputs the transcript ofits exchanges with V followed by R. DONE

It is clear that, M on G operates in polynomial time in the running timeof V. Since V is assumed to be probabilistic polynomial time, so is M.

To show that the probability space generated by m is identical to thatin View.sub.(P.sbsb.1.sub., P.sbsb.2.sub.,.sbsb.V), we notice that forfixed ρ (coin tosses of the verifier) and fixed R (joint random tape ofP₁ and P₂) the output of M(G) is identical toView.sub.(P.sbsb.1.sub.,P.sbsb.2.sub.,.sbsb.V). This is so as M actuallyruns V to obtain his moves and therefore V's moves are guaranteed to beperfectly simulated, while M itself follows the moves P₁, P₂ would havemade on joint random tape R. since ρ was picked by M at random at step1, it remains to argue that the probability that R was chosen by P₁ andP₂ is the same as the probability that R was output by M. This istrivially true by claim 1.2.

We claim, without proof here, that independent executions of the aboveprotocol for any language LεNP can be performed in parallel and theresulting protocol will still be a 2-prover perfect zero-knowledgeproof-system for L.

In the 1-prover model the question of whether it is possible in generalto preform parallel executions of perfect zero-knowledge protocolsmaintaining perfect zero-knowledge is unresolved. In particular, it isnot known how to parallelize the proof-systems for quadratic residuosityand graph isomorphism.

5 Proof of Theorem 4: IP_(i) =IP₂ for all k≧2

We now show that any k-prover (P₁, . . . , P_(k), V) interactiveproof-system for language L can be converted into a 2-prover (P₁, P₂, V)interactive proof-system. The idea is as follows.

Verifier V tosses all his coins and sends them to prover P₁. In return,P₁ sends V the entire history of communication that would have occuredfor theses coin tosses between the real verifier V and the k realprovers P_(i) 's. If this is an accepting conversation for V, V now usesP₂ to check the validity of the conversation. This is done by Vselecting at random an original prover P_(i), and simulating with P₂ theconversation between V and P_(i) on these coin tosses. If theconversation does not match the conversation sent by P₁ then V rejects,otherwise the protocol is repeated k times (in series) and finally Vaccepts.

Note that the number of rounds in the simulating protocol is k² t, wheret is the number of rounds in the k-prover interactive proof-system.Fortnow, Rompel and Sipser in [FRS] show that for each LεIP₂, thereexists a 3-prover IPS for L with only a constant number of rounds.

Theorem 5

Let k≧2. If LεIP_(k) then LεIP₂.

proof

Let L have a k-prover interactive proof-system (P₁, . . . , P_(k), V).Let I_(k) ={1,2, . . . k, $} and r denote the coin tosses made by theverifier. For a wεL, the optimal provers P₁, . . . , P_(k) and theverifier V can be though of as deterministic functions P_(i) : Σ*→Σ* andV: Σ*×I_(k) ×Σ*∪ {accept, reject} such that yi^(i) =P_(i) (h_(j-1)#x_(j) ^(i)) denotes the j-th message of the i-th prover to theverifier, x_(j) ³ =V(r,i,h_(j-1) ¹, . . . , h_(j-1) ^(k)) denotes thej-th message of the verifier to the i-th prover, and h_(j) ^(i) =#x₁^(i) #y₁ ^(i) #. . . #x_(j) ^(i) #y_(j) ^(i) denotes the history ofcommunication as prover i sees it at round j. Let t the total number ofrounds, then V(r,$,h_(t) ¹, . . . , h_(t) ^(k))ε{accept, reject}. Let Qbe a polynomial such that |r|, x_(j) ^(i) |, |y_(j) ^(i) |<Q|w|).

We now define provers P₁ and P₂ and verifier V in the simulatingtwo-prover protocol P₁, P₂, V.

On input w,

STEP 1

V chooses rε{0,1}^(Q)(|w|) at ramdom, sends r to P₁.

STEP 2

P₁ sends h₁ ¹, . . . , h_(t) ^(k) to V where the h_(t) ^(i') S arecomputed according to functions P₁, . . . , P_(k) and V. If (V(r,$,h_(t)¹, . . . , h_(t) ^(k))=reject then V rejects and halts. Otherwise Vpicks 1≦i≦k at random, sets j=1 and continues.

STEP 3

V sends u_(j) ^(i) =V(r,i,h_(j-1) ^(i)) to P₂, where h_(j) ^(i) =#u₁^(i) #v₁ ^(i) #. . . #u_(j) ^(i) #v_(j) ^(i) for j≦t. if j=t and h_(t)^(i) =h_(t) ^(i) then V accepts and halts, otherwise V rejects andhalts.

STEP 4

P₂ sends v_(j) ^(i) =P_(i) (h_(j-1) ^(i) #u_(j) ^(i)) to V. Set j=j+1and GOTO

claim 5.1

wεL,

    prob(V accepts w)=prob(V accepts w)

proof

If P_(i) follow the protocol as described above and compute the h_(t)^(i) according to the functions of the corresponding P_(i) 's, then forevery sequence of coin tosses r on which V would accept so would V.

Claim 5.2

If w L, prob(V accepts w)≦(prob(V accepts w)+e^(-k).

proof: sume w L. Then, the prob(V accepts w)≦prob(V accepts w| i≦k j≦t,y_(j) ^(i) =P_(i) (h_(j) ^(i) -1))+prob(V accepts w l, j s.t., y_(j)^(l) ≠P_(l) (h_(j) ^(l) -1))≦prob(V accepts w)+ prob(V(r,$,h_(t) ¹, . .. , h_(t) ^(k))=accept, and l≦k, s.t. h_(t) ¹ ≠h_(t) ^(l), but i of step4 is s.t. h_(t) ^(i) =h_(t) ^(i))≦prob(V accepts w)+(1-k/l).

If the above protocol is repeated k² independent times, the probabilityof success is reduced to prob(V accepts w)+(1-k/l)k² ≦prob(V acceptsw)+e^(-k).

This completes the proof, and L is indeed in IP₂.

6 Proof of Theorem 5: Completeness

Goldreich, Mansour and Sisper [GMS] showed that any LεIP has aninteractive proof-system for which strings in L are always accepted. Weshow the corresponding property for any LεIP₂.

Theorem 6:

If LεIP₂, then there exists a 2-prover proof-system (P₁, P₂, V) for Lsuch that for all x εL, prob(V accepts)=1.

proof

Suppose (P₁, P₂, V) is a 2-prover interactive proof-system for L suchthat ε=prob(V accepts |w not in L} and the number of coin tosses oninput w which V makes is a polynominal Q(|w|). We show a simulating2-prover interactive proof-system (P₁, P₂, V) for L which also achievescompleteness. The simulation is done in two stages. In stage 1, we usethe idea of the completeness proof for the 1-prover interactiveproof-system model by Goldreich, Mansour and Sisper in [MGS] (based onLautman's Lemma) where P₁ plays the part of both P₁ and P₂. In stage 2,as in the proof of the theorem of section 6, V uses P₂ to check thevalidity of stage 1.

Let t denote the number of rounds in (P₁, P₂, V). Again, consider P₁, P₂and V as determinstic functions as in the proof of theorem of section 6.

Let r denote the coin tosses of the verifier. For i=1, 2, let h_(t) ^(i)(r)=#x₁ ^(i) #y₁ ^(i) # . . . #x_(t) ^(i) #y_(t) ^(i) where x_(j) ^(i)=V(r, i, h_(j-1) ^(i) (r)), and y_(j) ^(i) =P_(i) (h_(j-1) ^(i)(r)#x_(j) ^(i)).

Define W={r|V(r, $, h_(t) ¹, h_(t) ²)=accept}. Note that for wεL,##EQU5## and for w not in ##EQU6## Lautman[L] shows that wεL s₁, . . . ,s_(Q)(|χ|), |s_(i) |=Q(|χ|), s_(i) |=Q(|χ|), s.t. r, |r|=Q(|χ|), l s.t.r ⊕s₁ εW. We use this in a manner similar to [GMS]. On input w,

STEP 1

P₁ sends V s₁, . . . , s_(Q)(|w|) such that s_(i) ε{0, 1}^(Q)(|w|);

STEP 2

V sends r to P₁ where r is randomly selected in {0, 1}^(Q)(|w|).

STEP 3

P₁ sends to V, h_(t) ^(i) (s_(j) ⊕r) for i=1, 2 and 1≦j≦Q(|w|). (Theseare the histories of conversations which would have been exchanged inoriginal protocol (P₁, P₂, V) on coin tosses r⊕s_(j), 1≦j≦Q(|w|).)

STEP 4:

if V(r⊕s_(j), h_(t) ¹ (r⊕s_(j)), h_(t) ² (r⊕s_(j)))=reject for all1≦j≦k, then V rejects. If l s.t. V(r⊕s_(l), h_(t) ¹ (r⊕s_(l)), h_(t) ²(r⊕s_(l)))=accept, then goto STEP 5.

STEP 5

V chooses iε{1, 2} at random. It then interacts with prover P₂ in thesame way that V and P_(i) would have on coin tosses r⊕s_(l). If thisinteraction produces exactly the same history string h_(t) ^(i)(r⊕s_(l)) sent by P₁ in STEP 3 then V accepts, otherwise it rejects.

The above protocol is repeated Q(|w|)s times, and the verifier acceptsif and only if he accepted in any of these iterations.

Claim 1

prob(V accepts |w|εL)=1

proof

if P₁, and P₂ follow the program outlined above, follows directly from[L] and [GMS].

Claim 2

prob(V accepts |w| not in L)≦1/3

proof

We now can not assume that P₁, P₂ follow the procotol. Let h_(ij), fori=1, 2, 1≦j≦Q(|w|) denote the strings sent by P₁ in STEP 3.

prob(V accepts in one iteration |w L)≦Σ_(l) prob(l, V(r⊕s_(l), h_(1l),h_(2l))=accept|P₁, P₂ honest)+prob(P₁, P₂ not caught in step 5 but j, i,h_(t) ^(i) (r⊕s_(j))≠h_(ij))≦Q(|w|). ##EQU7## Now, prob(V accepts inQ(|w|)³ iterations |w L)= ##EQU8## which is less than a 1/3 for εsufficiently small. QED

7 Proof of Theorem 2: Outline Overview

The proof of Theorem 2 is very long and complicated. The main idea ofthe proof is the implementation of a technique we call encryptedconversations. This is a general technique for transforming proofsystems into zero-knowledge proof systems. A protocol that has beentransformed using this technique closely mirrors the original protocol.Indeed, all the questions and answers of the transformed protocol can bemapped to questions and answers in the original protocol. However, thesequestions and answers are all strongly encrypted, in an informationtheoretic sense, using keys that are known by the provers, but not bythe verifier. Because the conversation is so strongly encrypted, theverifier gets no information, so the protocol is zero-knowledge.

Two concerns such a transformation must deal with are

• How can the verifier, who in a strong sense knows little of what hashappened in an encrypted conversation, be convinced that theconversation indeed mirrors a valid conversation from the originalprotocol? Also, how can the verifier be convinced that the unencryptedconversation would indeed have caused the original verifier to accept?

• How can one insure that a malicious verifier cannot subvert theencrypted protocol in order to acquire information in some way?

We deal with the first concern by showing how the provers and verifiercan take an encrypted transcript of the first i rounds of aconversation, and compute an encrypted transcript of the first i+1rounds of a conversation. This is done in such a way that the verifiercan verify with high probability that this is the case. We dealwith thesecond concern by insuring that the encrypted conversation, if generatedat all, will mirror a conversation between the prover and an honestverifier. Thus, if the verifier follows the simulation, he will onlyfind out whether the original verifier, on a random set of coin tosses,accepted. Since the original verifier accepts with probability 1, thisis no information. Furthermore, we guarantee that if the verifier doesnot go along with the simulation, he will not get any information.

In order to accomplish these goals, we use a very useful tool calledoblivious circuit computation. This tool, first developed by Yao[Yao86a], is a protocol by which two parties, A and B, possess secrets iand j respectively, and have agreed upon some circuit f. At the end ofthe protocol, A learns nothing about j, and B learns f(i, j), butnothing more about i than can be inferred from knowing j and f(i, j).The provers and verifier can compute the next step of an encryptedconversation by obliviously evaluating a circuit. We sketch thereduction from encrypted conversations to oblivious circuit evaluationin appendix A.3.

A large portion of our construction is devoted to implementing obliviouscircuit evaluation. Yao's implementation of this protocol relies oncomplexity theoretic assumptions, and is therefore unsuitable for ourpurposes. More recently, however, this protocol was implemented using asubprotocol known as oblivious transfer in lieu of any cryptographicassumptions [K]. In the standard, two-party scenario, oblivious transfercannot be implemented without complexity theoretic assumptions. However,we show that oblivious transfer can be implemented in the two-proverscenario without recourse to these assumptions. Our implementations usesa result of Barringtion [Ba] that NC¹ languages can be accepted bybounded width branching programs. We sketch our implementation inappendix A.2.

A Structure of the Transformed Protocol

Given a 2-prover IPS, we transform it into a zero-knowledge 2-prover IPSthat has three distinct phases. These stages will be referred to as thecommital phase, the oblivious transfer phase, and the encryptedconversation phase. In the commital phase of the protocol, the twoprovers commit a set of bits to the verifier. In the oblivious transferphase of the protocol, the provers and verifier create a random sequenceO of oblivious transfer bits. Sequence O has the following threeproperties.

• All of the bits of O are known to the provers.

• Each bit in O is known to the verifier with probability 1/2.

• Neither prover knows which bits in O the verifier knows.

The third and final stage actually simulates the original 2 prover IPS.In this stage, sequence O is used to perform oblivious circuitcomputation, which then allows the use of the encrypted conversationtechnique. We now describe the three phases in greater detail.

A.1 The Commital Phase.

It is necessary for the two provers to be able to commit bits for use inthe second, oblivious transfer phase of the protocol. This commital isof the same type as in the proof that any language in NP has azero-knowledge 2-prover IPS. We use the same commital protocol as isused in Section 5.

The bits committed to in the commital phase may be random. In order tocommit a bit b in the oblivious transfer phase, a prover can tell theverifier the value of b⊕b_(c), where b_(c) is a bit committed to in thecommital phase. To decommit b, the prover can then simply decommitb_(c).

A.2 The Oblivious Transfer Phase.

The oblivious transfer phase of the zero-knowledge IPS consists ofseveral parallel evaluations of the oblivious transfer protocol,described below.

Introduction to Oblivious Transfer

We can view oblivious transfer as a protocol between two parties, A andB. Initially, A knows some random bit b, which is unknown to B. At theend of the protocol, the following two conditions hold.

1. (The Transfer Condition) One of the following two events has occured,each with probability 1/2. Either B learns the value of b, or B learnsnothing. Player B knows which of the two events occurred.

2. (The Obliviousness Condition) Player A receives no information aboutwhether or not B learned the value of b.

Oblivious transfer, first introduced by Rabin[R], is a powerfulcryptographic primitive. Its applications include contract signing [EGL]and oblivious circuit evaluation ([Y], [GMW2], [GHY], [AF], [GV], [K]).The first implementation of oblivious transfer by Rabin [R] was based onthe difficulty of factoring and only worked for honest parties, Fischer,Micali, and Rackoff[FMR] presented the first implementation based onfactoring and robust against computationally bounded adversaries.Even-Goldreich-Lempel[EGL] reduced the intractibility assumption to theexistence of trap-door permutations.

Unfortunately, these reductions are all cryptographic in nature, andthus of no use to us. Our implementation, which is not based on anycryptographic assumptions, exploits the lack of direct communicationbetween the two provers.

A Variant of Oblivious Transfer in the 2-Prover Model.

We implement an analog to oblivious transfer in the two-prover model. Atthe beginning of the protocol, the provers know(have chosen) some randombit b, which the verifier does not know. The provers and the verifierhave also agreed on a security parameter K. At the end of the protocol,the following variants of the usual transfer and obliviousnessconditions hold.

1. (The Transfer Condition) One of the following events occurs withprobability 1/2. Either the verifier ffully learns the value of b (i.e.can predict b with probability 1), or the verifier gains only partialknowledge of b (i.e. can predict b with probability 3/4). The verifierknows which of the two events occurred.

2. (The Obliviousness Condition) Let K denote the security parameters.For all c>0, and for K sufficiently large, if the two proverscommunicate less than K bits of information, they cannot predict, withprobability 1/2+1/K^(c), whether the verifier fully learned b.

Our implementation of this oblivious transfer protocol requires aconstant number of rounds. The total number of bits of communicationbetween the provers and the verifier will by polynominal in K and thesize of the input.

Both the transfer and the obliviousness conditions are relaxed versionsof the standard ones. The transfer condition is relaxed purely for easeof implementation. Using the techniques of Crepeau-Kilian[CK], we canshow that achieving this weakened transfer condition is equivalent toachieving the ideal transfer condition. The standard obliviousnesscondition, however, cannot be implemented in this model if the twopprovers are allowed to freely communicate. To get around thisdifficulty, we show that for interactive proof systems, a set of bitstransferred under the nonideal obliviousness condition may be used inplace of a set of bits transferred under the ideal obliviousnesscondition.

Branching programs

The main idea behind the oblivious transfer protocol is a simulation ofwidth 5 permutation branching programs(W5PBP), as defined in [B]. Beforedescribing the protocol, we first present a slightly nonstandard way tospecify a W5PBP. We then show a way of randomizing this specification.Using this randomized representation, we can then describe our obliviousransfer protocol.

W5PBP's may be formally thought of as having some polynominal p(n)levels, each with five nodes. On level 1 there is a distinguished startnode s; on level p(n) there is a distinguished accept node a. For eachlevel, i, 1≦i<p(n), there is an input variable, which we denote byv_(i), and two 1--1 mappings, f₀ ^(i) and f₁ ^(i) that map the nodes atlevel i to the nodes at level i+1. Intuitively, the mapping f₀ ^(i)tells where to go if the input variable v_(i) is 0, and f₁ ^(i) tellswhere to go if v_(i), is equal to 1. A branching program may beevaluated by on a set of inputs by computing ##EQU9## If this value ifequal to the accept node a, the branching program accepts, otherwise, itis rejects. An example of a program is in FIG. 1.

As described above, our branching programs consist of variables, nodes,and functions from nodes to nodes. For our protocol, we need analternate representation for branching programs. Given a W5PBP, we firstpick a random mapping γ, that maps nodes to {1, . . . , 5}, subject tothe constraint that no two nodes on the same level are mapped to thesame number. We then replace each function f_(k) ^(i), kε{0, 1}, by apermutation h_(k) ^(i), subject to the constraint

    h.sub.k.sup.i (γ(N))=γ(f.sub.k.sup.i (N)),     (A.2.1)

for all nodes N on level i. From equations (A.2.1) and (A.2.2) we have##EQU10##

This isomorphism between evaluating the permutations h_(k) ^(i) on γ(s)and evaluating the original branching program proves very useful inimplementing oblivious transfer, as we will show in the next section.The following simple lemma is useful in analyzing the informationtransferred by the oblivious transfer protocol we will present.

Lemma A.1

Suppose that for each level, i, of a branching program, exactly one ofthe functions h₀ ^(i) or h₁ ^(i) is specified. Suppose also that forsome level j, γ(N) is specified for all nodes N on level j. Then thereis exactly one way of consistently defining γ and the functions h_(k)^(i).

Proof Outline

First, we note that specifying γ specifies all the h's. Thus we needonly show that there is exactly one way of consistently defining γ. Byequation A.2.2, we have

    γ(N)=h.sub.k.sup.i-1 (γ(f.sub.k.sup.i (N))), and (A.2.4)

    γ(N)=h.sub.k.sup.i (γ(f.sub.k.sup.i-1 (N))).   (A.2.5)

If γ is defined on level i, equation(A.2.4) uniquely extends it to leveli-1, and equation (A.2.5) uniquely extends it to level i+1. Inductively,one can uniquely extend γ from row j to the entire branching program.This extension is easily shown to be consistent.

The oblivious transfer protocol

We now outline the oblivious transfer protocol between the two proversand the verifier. For the exposition, we assume that the provers followthe protocol. It is not hard to convert this protocol to one that workswith adversarial provers.

Stage 1

Let n=K². Both provers initially start with some canonical W5PBP that,given two vectors x=[x₁ x₂ . . . x_(n) ] and y=[y₁ y₂ . . . y_(n) ],accepts iff x.y=1. They then agree on a random mapping γ, andpermutations h_(k) ^(i). The provers send the verifier the exclusive-orof b and the least significant bit of γ(a).

Stage 2

The verifier and Prover 1 pick a random vector x. The verifier andProver 2 pick a random vector y. As a subprotocol, the prover andverifier flip an unbiased coin in the following manner: Prover i choosesas his bit, r_(p), one of the bits committed in the commital phase ofthe protocol. The verifier chooses a bit r_(v) at random, and announcesit to Prover i. Prover i then decommits r_(p). The bit r, defined byr=r_(p) ⊕r_(v) will be unbiased if either Prover i or the verifier obeysthe protocol.

Stage 3

Prover 1 sends the verifier the permutations h_(v) ^(i), for all i suchthat v_(i) =x_(j) for some j. Likewise, Prover 2 sends the verifier thepermutations h_(v) ^(i), for all i such that v_(i) =y_(i) for some j.For example, if v_(i) =y₇, and y₇ =0, then Prover 2 would send theverifier h₀ ^(i), but not send him h₁ ^(i).

We now show how to convert this protocol to one in which the provers maybe adversarial. First, we require that the provers commit their γ andtheir permutations h₀ ^(i) and h₁ ^(i) at Stage 1 of the oblivioustransfer protocol, using the commital protocol described in section 1.The verifier must be assured that the following two conditions are met.

1. The permutations it receives correspond to those that have beencommitted, and

2. The permutations and γ correspond to a legitimate randomizedbranching program.

The first condition is assured by having the provers decommit theirpermutations in Stage 3 of the protocol. To assure that the secondcondition is met, we have the verifier perform a "spot-check" withprobability 1/n^(c), where n is the size of the input, and c is somepositive constant. To perform a spot-check, the verifier halts theoblivious transfer protocol at the beginning of Stage 2. Instead ofusing the committed W5PBP to implement oblivious transfer, the verifierrequests that ↓ and all the hash functions are revealed. The verifiercan then check whether or not the two provers gave a legitimaterandomized W5PBP, and reject if they did not. Note that it is onlynecessary for the verifier to be able to detect cheating by the proverssome polynominal fraction ofthe time. This probability may be amplifiedby successively running the zero-knowledge proof system sufficientlymany times.

Properties of the Oblivious Transfer Protocol

The following theorems state that the above protocol does indeedimplement out variant of oblivious transfer.

Theorem

(Transfer) After the above protocol has been executed, one of thefollowing two events may occur, each with probability 1/2.

(1) The verifier knows the value of b.

(2) The verifier can guess the value of b with probability at most 3/4.

Furthermore, the verifier can tell which event occurred.

Proof Outline

Suppose, that x·y=1. Then the verifier can compute γ(a), and thuscompute b. This corresponds to event (1). Now suppose that x·y≠1. Theverifier knows, for each level i, exactly one of the functions h₀ ^(i)or h₁ ^(i). The verifier can also compute γ(a'), where a' is also on thelast level, and a'≠a. Everything else the verifier knows can be computedfrom this information. Using Lemma 1, we have that any specification ofγ on the top level nodes can be consistently extended in exactly oneway. Thus, the verifier has no information about γ(a) other than thefact that γ(a)≠γ(a'). The verifier's predictive ability is maximizedwhen γ(a') is even, in which case the conditional probability that γ(a)is odd is 3/4. In this situation, the verifier can predict b withprobability 3/4.

Theorem

(Obliviousness) Let c be a constant, c<0, and K, the security parameter,be sufficiently large (possibly depending on c). If, after the aboveprotocol has been executed, the two provers exchange only K bits ofinformation, they cannot predict, with probability 1/2+1/K^(c), whetherthe verifier received the bit.

Proof Outline

We again use the observation that the verifier receives a bit iff thedot product of the two randomly chosen vectors is equal to 1.Determining if the verifier received the bit is equivalent to computingthe dot product of two random vectors of size n. We now cite a theoremof Chor and Goldreich [CG] concerning the communication complexity ofcomputing dot products.

Theorem[CG]

Let players A and B each receive random n bit boolean vectors, x and yrespectively. If they exchange o(n) bits, they cannot predict x·y withprobability greater than 1/2+1/n^(c), for any c.

Our theorem follows directly from this result.

Ideal versus Nonideal Oblivious Transfer Bits

As we have mentioned above, the oblivious transfer protocol we implementis nonideal in the obliviousness conditions. The nonideal nature of theobliviousness condition is inherent to our model, if the transfercondition is indeed ideal in the information theoretic sense. If the twoinfinitely powerful provers are allowed to communicate freely, they caneach learn the entire transcript of the oblivious transfer protocol, andthus determine everything the verifier could have learned from theprotocol. This violates the obliviousness condition of oblivioustransfer, yielding the following observation.

Observation

It is impossible to implement an ideal oblivious transfer protocolbetween two provers and a verifier if the provers are allowed tocommunicate freely after the protocol.

The nonideal nature of the oblivious condition does not affect whether aprotocol is zero-knowledge; the verifier learns exactly as much from apseudo-oblivious source as from an oblivious one. However, using apseudooblivious source of bit instead of an ideal source couldconceivably cause a protocol to no longer be a proof system. We showthat, provided the security parameter for our pseudo-oblivious source issufficiently high, this will not be the case.

Formalizing Proof Systems with Oblivious Transfer Channels

In order to state our result more precisely, we first augment ourdefinition of two-prover interactive proof systems by adding a fourthparty, a transfer source.

Definition

A two-prover interactive protocol with oblivious transfer consists of afour-tuple of parties, <P₁, P₂, V, T>. Parties P₁, P₂, V may be formallydescribed as mappings from sequences of Σ* (informally, the history ofthat party's conversation so far) to distributions on Σ* (informally,the next answer/question given/asked by the party).

Player T may be formally described as a mapping form {0, 1}* to adistribution on triples (I_(P).sbsb.1, I_(P).sbsb.2, I_(V)). The valuesI_(P).sbsb.1, I_(P).sbsb.2 may be informally thought of as informationleaked back to the provers, P₁ and P₂, by a possibly nonideal oblivioustransfer protocol. The possible values of I_(V) on input O=O₁, . . . ,O_(k) are elements of {0, 1, #}*, of the form O'₁ . . . O'_(k), whereO'_(i) =O_(i) or O'_(i) =#. Informally, I_(V) consists of the bits thatare transferred to the verifier, V.

For the rest of the discussion, we will anthromorphize our descriptionsof the P₁, P₂, V and T, describing their behavior in terms of actions byplayers instead of as values of functions.

Protocols with oblivious transfer are evaluated in nearly the same wayas standard protocols, but for an initial oblivious transfer phase. Atthe beginning of the protocol, the provers, P₁ and P₂, agree on asequence of bits O, which they send to the transfer mechanism, T. Thetransfer mechanism sends some of these bits to the verifier, and sendsadditional information back to the two provers. At this point, T nolonger plays any part in the protocol, and the players P₁, P₂, and Vproceed to interact in the same manner as with standard two-proverprotocols. Players P₁, P₂, and V treat their views of the oblivioustransfer phase as special inputs.

Modeling ideal and nonideal sources in our formalism

We now give a specification for an oblivious transfer mechanism whichmodels the information received by the provers by the actual oblivioustransfer mechanism we have implemented in the two-prover model.

Specification

Oblivious transfer mechanism T_(n),k is specified by its input from theprovers and its output to the provers and the verifier. T_(n),k takes asinput a sequence of bits O=O₁, . . . , O_(k). It flips k coins, b₁, . .. , b_(k). T_(n),k randomly selects two sequences of n element booleanvectors, x₁, . . . , x_(k) and y₁, . . . , y_(k), subject to x_(i).y_(i)=b_(i). T_(n),k 's output is as follows.

Transfer to V

T_(n),k sends the verifier sequence O'=O₁ ', . . . , O_(k) ' where O_(i)'=O_(i) iff b_(i) =1. Otherwise, O_(i) '=#.

Transfer to P₁

T_(n),k sends P₁ the sequence x₁, . . . , x_(k).

Transfer to P₂

T_(n),k sends P₂ the sequence y₁, . . . , y_(k).

This model for our transfer channel makes the following simplifications.The verifier does not get any partial glimpses at bits that it hasn'tcompletely received, whereas in the actual protocol, it may guess itwith probability 3/4. Also, it does not get any record of itsinteractions with the provers in the oblivious transfer protocol. Forinstance, in the actual protocol, the verifier would also known x_(i) 'sand y_(i) 's, whereas in this model it does not. These simplificationsturns out to be irrelevant to our analysis, since the valid verifiercompletely disregards all of this extra information.

More significantly, the provers do not receive any of the extrainformation they might obtain in the commital and oblivious transferphases. One can show that any pair of provers which have any chance offooling the verifier must abide by rules of the commital and oblivioustransfer protocols. The extra information they receive from an honestrun of these protocols is of no value to them. They may, in a certaintechnical sense, simulate all of this extra information, once giventheir respective vector sequences x₁, . . . , x_(k) and y₁, . . . ,y_(k). Thus, the provers cannot cheat any more effectively using oursimplified channel than they could using the actual commital andoblivious transfer protocols. The details of this argument are ommitted.

Modeling an ideal oblivious transfer mechanism

It is fairly straightforward to model an ideal oblivious transfermechanism in our formalism. We denote this transfer channel T_(k)^(ideal), which we specify as follows.

Specification

Oblivious transfer mechanism T_(k) ^(ideal) is specified by its inputfrom the provers and its output to the provers and the verifier. T_(k)^(ideal) takes as input a sequence of bits O=O₁, . . . , O_(k). It flipsk coins, b₁, . . . , b_(k). It randomly selects two sequences of nelement boolean vectors, x₁, . . . , x_(k) and y₁, . . . , y_(k). T_(k)^(ideal) 's output is as follows.

Transfer to V

T_(k) ^(ideal) sends the verifier sequence O'=O₁ ', . . . , O_(k) 'where O_(i) '=O_(i) iff b_(i) =1. Otherwise, O_(i) '=#.

Transfer to P₁ and P₂

T_(k) ^(ideal) sends nothing to P₁ or P₂.

A practical equivalence between T_(n),k and T^(ideal)

We can now state our theorem concerning the the practical equivalence ofour oblivious transfer protocol and the ideal one.

Theorem

Let <P₁, P₂, V, T_(p)(n)^(ideal) > be an interactive proof system withoblivious transfer. Here, p(n) denotes some polynomial in the size ofthe input. Then there exists some some polynomial q(n) such that <P₁,P₂, V, T_(q)(n),p(n) > is also an interactive proof system withoblivious transfer.

Brief Outline of Proof

The proof of this theorem is somewhat involved. We show that if onecould cheat more effectively using a T_(q)(n),p(n) transfer channel, forq(n) arbitrarily large, then one could use this fact to create aprotocol for computing the dot product of two random q(n) elementboolean vectors. The communication complexity for this protocol willdepend on V and n, but not on the function q. From this it is possibleto use the Chor-Goldreich lower bound on the communication complexity ofboolean dot product to reach a contradiction.

In order to constuct the protocol for computing boolean dot products, wefirst define a sequence of transfer mechanisms that are intermediatebetween our nonideal and ideal transfer mechanisms. We show that if theprovers can cheat using the nonideal transfer mechanism, then twoconsecutive transfer mechanisms in our sequence can be distinguished. Wethen show how to use these transfer mechanisms to generate two verysimple and very similar transfer mechanisms whose behavior isdistinguishable. Finally, we use the distinguishability of this finalair of transfer mechanisms to create a protocol for boolean dot-product.We proceed to formalize this argument.

Transfer mechanism that are intermediate between the ideal and nonidealmodels

We specify a sequence of oblivious transfer mechanisms as follows.

Specification

Oblivious transfer mechanism T_(n),k^(i) is specified by its input fromthe provers and its output to the provers and the verifier. T_(n),k^(i)takes as input a sequence of bits O=O₁, . . . , O_(k). It flips k coins,b₁, . . . , b_(k). T_(n),k^(i) randomly selects two sequences of nelement boolean vectors, x₁, . . . , x_(k) and y₁, . . . , y_(k). For1≦j≦i, vectors x_(j) and y_(i) are subject to the constraint x_(i)·y_(i) =b_(j). T_(n),k^(i) 's output is as follows.

Transfer to V

T_(n),k^(i) sends the verifier a sequence O'=O₁ ', . . . , O_(k) ' whereO_(i) '=O_(i) iffb_(i) =1. Otherwise, O_(i) '=#.

Transfer to P₁

T_(n),k^(i) sends P₁ the sequence x₁, . . . , x_(k).

Transfer to P₂

T_(n),k^(i) sends P₂ the sequence y₁, . . . , y_(k).

The only difference between T_(n),k and T_(n),k^(i) is that the vectorssent to the provers by T_(n),k all have some correlation with whetherthe bit was sent to the verifier, whereas only the first i vectors sentto the provers by T_(n),k^(i) are so correlated. Note that T_(n),k^(o)is equivalent to the ideal channel T_(k) ^(ideal), and T_(n),k^(k) isequivalent to T_(n),k.

Analysis of cheating probabilities for different transfer mechanisms

The sequence of oblivious transfer mechanisms we defined above is"continuous" in that any two consecutive mechanisms are onlyincrementally different from each other. Using an argument similar tothat of [GM], we show that if the probability of successfully cheatingusing one transfer mechanism in the sequence is significantly greaterthan the probability of successfully cheating using a different transfermechanism in the sequence, then there must be two consecutive mechanismswhich differ in the probability of a particular cheating strategy beingsuccessful.

Definition

Let L be some language, and <P₁, P₂, V, T_(p)(n)^(ideal) > a two-proverIPS for L, with oblivious transfer. For some x L, |x|=n, we definecheat_(ideal) (x) as the probability that V can be tricked intoaccepting x.

We wish to analyze how frequently the provers can cheat if they use anonideal transfer mechanism, T_(q)(n),p(n). Let P₁,q(n), P₂,q(n) beoptimal cheating provers for the protocol <P₁,q(n), P₂,q(n), V,T_(q)(n),p(n) >. For x L, |x|=n, we define cheat_(q)(n)^(i) (x) as theprobability that P₁,q(n), P₂,q(n) causes V to accept x in protocol<P₁,q(n), P₂,q(n), V, T_(q)(n),p(n)^(i) >. Clearly, we havecheat_(q)(n)⁰ (x)≦cheat_(ideal) (x). We also have, by definition. thatcheat_(q)(n)^(p)(n) (x) is the maximum probability that any provers cantrick V into accepting x, using transfer mechanism T_(q)(n),p(n).

Using a simple pigeonhole argument, we can show the following.

Lemma A.2

Let x L, and |x|=n. For all polynominals q(n), there exist some i,0≦i<p(n), such that ##EQU11##

We now show that if for for all polynomials q(n), there exists a c>0,such that cheat_(q)(n)^(i+1) (x)-cheat _(q)(n)^(i) (x)>1|x|^(c) forinfinitely many x, then we can create efficient algorithms for computingdot products of random vectors. To do this, we first must introduce thenotion of "hardwired" versions of transfer mechanisms T_(q)(n),p(n)^(i).

Restricted versions of oblivious transfer mechanisms

Given two easily distinguishable mechanisms T_(q)(n),(n)^(i) andT_(q)(n),p(n)^(i+1), we would like to create even simpler pairs ofmechanisms that are easily distinguishable, yet preserve the essentialdifferences between T_(q)(n),p(n)^(i) and T_(q)(n),p(n)^(i+1). Weobserve that the only difference between these two mechanisms lies inthe distibutions imposed on the vectors x_(i+1) and y_(i+1) which aresent to P₁,q(n) and P₂,q(n). We would like to be able to fix all theother aspects of these channels. To do this, we make the followingdefinitions.

Definition

A transfer restriction R εR_(n),k^(i) is a 3-tuple (R_(b), R_(x),R_(y)), where

•R_(b) is a sequence of bits, b₁, . . . , b_(k).

•R_(x) is a k-1 element sequence of n element boolean vectors, x₁, . . ., x_(i-1), x₊₁, . . . , x_(k).

•R_(y) is a k-1 element sequence of n element boolean vectors, y₁, . . ., y_(i-1), y_(i-1), . . . , y_(k).

Furthermore, we require that for 1>j<i, x_(i) ·y_(j) =b_(j).

Intuitively, we can think of RεR_(n),k^(i) as a specification for whichbits get through to the verifier, and, except fot the ith bit,specifications for which vectors are transmitted back to the provers.

Definitions

Given a transfer restriction RεR_(n),k^(i) We specify a restrictedversion of T_(n),k^(i) which we denote by T_(n),k^(i) [R], as follows.

Specification

Oblivious transfer mechanism T_(n),k^(i) [R] takes as input a sequenceof bits O=O₁, . . . , O_(k). Let R_(b) =b₁, . . . , b_(k), R_(x) =x₁, .. . , x_(i-1), x_(i+1), . . . , x_(k), and R_(y) =y₁, . . , y_(i-1),y_(i+1), . . . , y_(k). T_(n),k^(i) [R] randomly selects two n elementboolean vectors, x_(i) and y_(j). If j≦i, then x_(j) and y_(j) arechosen s.t x_(j) ·y_(j) =b_(j). T_(n),k^(i) [R]'s output is as follows.

Transfer to V

T_(n),k^(i) [R] sends the verifier sequence O₁ ', . . . , O_(k) ' whereO_(i) '=O_(i) iffb_(i) =1. Otherwise, O_(i) '=#.

Transfer to P₁

T_(n),k^(i) [R] sends P₁ the sequence x₁, . . . , x_(k).

Transfer to P₂

T_(n),k^(i) [R] sends P₂ the sequence y₁, . . . , y_(k).

Analysis of cheating with respect to restricted transfer mechanisms

Recall that provers P₁,q(n) and P₂,q(n) cheat optimally, given oblivioustransfer mechanism T_(q)(n),p(n). We would like to described whathappens when these provers are run using restricted transfer mechanisms.To this end, we define cheat_(q)(n)^(i) [R](x) as the probability thatP₁,q(n), P₂,q(n) causes V to accept x in protocol <P₁,q(n), P₂,q(n), V,T_(q)(n),p(n)^(i) [R]>.

Using a simple probabilistic argument, we prove the following importantlemma.

Lemma A.3

Let x L, and |x|=n. Let 1≦i<p(n). For all polynomials q(n), there existsa restriction RεR_(q)(n),p(n)^(i+1)) such that ##EQU12##

Using T_(q)(n),p(n)^(i) [R], T_(q)(n),p(n)^(i+1) [R] to compute dotproducts

Recall that a restriction RεR_(q)(n),p(n)^(i+1)) defines the entireinput/output properties of a restricted transfer protocolT_(q)(n),p(n)^(i) [R], but for the output vectors x_(i), y_(i)transmitted back to the provers. If the two provers have a sourceM_(q)(n), which produces vector pairs x,y, of size q(n) and sends themto Prover1 and Prover2, respectively, we can use it to stimulateT_(q)(n),p(n)^(i) [R].

We also note that, if allowed to communicate directly, two provers can"simulate" the verifier in the following way. They can send to eachother the messages they would have sent to the verifier. By knowing theset of transfer bits, which bits were received by the verifier, and atranscript of the conversation so far between the verifier and theprovers, the provers can determine exactly what the verifier's nextquestion in the conversion will be.

We now can explicitly write down a protocol for computing the dotproduct of random boolean vectors. The assume that the two parties P₁and P₂ have agreed on some x(x L.|x|=n), q, i, and R=(R_(b), R_(x),R_(y)) ε R_(q)(n),p(n)^(i+1)). The protocol is specified as follows.Player P₁ receives a random boolean vector x, and player P₂ receives arandom boolean vector y. At the end of the protocol, player P₁ outputs a0 or 1, which hopefully corresponds to x·y.

Protocol

Dot-Product(x,y)/* P₁ knows x, P₂ knows y, and |x|=|y|=q(n)*/ P₁ and P₂simulate the protocol <P₁,q(n), P₂,q(n), V, T_(q)(n),p(n)^(i) [R]>, oninput x. They treat vectors x and y as substitutes for x_(i+1), y_(i+1)(which are not defined by R).

If the simulated verifier accepts, then P₁ outputs b_(i+1), were R_(b)=b₁, . . . , b_(p)(n). Otherwise it outputs the complement of b_(i+1).

We now analyze the communication complexity of this protocol.

Definition

Given a two-prover protocol P=P₁, P₂, V, T>, and some input x, we definethe leakage L(P,x) as the total number of bits transmitted from theprovers to the verifier.

The following lemma follows immediately from the definition ofDot-Product.

Lemma A.4

Let P=<P₁,q(n), P₂,q(n), V, T_(q)(n),p(n)^(i) [R]>. Then protocolDot-Product requires L(P,x) bits of communication.

Finally, we can bound below Dot-Product's success rate on random vectorsby the following lemma.

Lemma A.5

Given q(n) bit vectors x, y distributed uniformly, the probability thatDot-Product (x,y)=x·y is at least ##EQU13##

Proof

Our proof is by a straightforward calculation of conditionalprobabilities, which we outline below. We define the variables good andbad by ##EQU14##

The probability the Dot-Product yields the correct answer is equal to##EQU15## We now solve for good and bad in terms of cheat_(q)(n)^(i)[R](x) and cheat_(q)(n)^(i+1) [R[(x). Using our definitions forcheat_(q)(n).sup.[ [R](x) and cheat_(q)(n)^(i+1) [R](x), we have##EQU16## Solving for good and bad, we have ##EQU17##

Substituting equations (A.2.12) and (A.2.13) into equation A.2.9), andsimplifying, we get equation (A.2.8).

A.3 Implementing zero-knowledge with circuits

In this section we outline a technique we call the method of encryptedconversations. This technique represents a fairly general methodologyfor converting protocols into zero-knowledge protocols. Its mainrequirement is the ability of the parties involved to perform obliviouscircuit evaluation.

A normal form for two-prover IPS's

For ease of exposition, we consider a normal form for two-proverinteractive proof systems (IPS's). This normal form consists of threestages, as described below.

Notation

Throughout this section, q_(i) (x,r,.,.,.) will denote that i-thquestion of the verifier computed on his random coin tosses r, the inputx, and the history of the communication so far. (a_(i) correspond to theprovers answers).

Stage 1

On input x, where |x|=n, the verifier generates a sequence r=r₁, . . . ,r_(p)(n) of random bits. The verifier computes his first question, q₁=q₁ (x,r).

Stage 2

The verifier sends q₁ to Prover 1. Prover 1 sends its answer, a₁ back tothe verifier. The verifier computes his second question, q₂ =q₂(x,r,a₁).

Stage 3

The verifier sends q₂ to Prover 2. Prover 2 sends its answer, a₂, backto the verifier. The verifier computes its decision predicate,accept(x,r,a₁,a₂), and accepts iff accept(x,r,a₁,a₂) evaluates to"true".

We use the following result.

Theorem(normal form for 2 prover IPS's)

Given any two prover IPS P for a language L, there exists an IPS P',with the following 2 properties.

1. If xεL then prob(P'(x) accepts)=1.

2. There exists some c>0 such that if x L then prob(P'(x)accepts)≦1-1/|x|^(c).

Remark

It is currently open whether the ≦1-1/|x|^(c) failure probability can bereduced. However, if greater reliability is desired, one may run anormal form protocol several times serially to achieve an exponentiallylow probability of failure.

We now need to show how to convert an IPS in normal form into azero-knowledge IPS.

Conceptually, we would like to have the use of a black box into whichthe verifier inputs an encrypted history of the communication, theprover inputs its answer to the question and the output which is givento the verifier is the encrypted answer of the prover and the encryptednext question of the verifier. See FIG. 2.

The encryption scheme used to encrypt the questions and answers shouldbe an information theoretically strong encryption scheme with respect tothe verifier, while the provers will be given the ability to decrypt.

We describe how this is achieved in the following section A.3.1. The boxis achieved by the technique of oblivious circuit evaluation asdescribed in section A.3.2.

A.3.1 Strong encryption using 2-universal hash functions

We need a cryptographic system (call it E for the sake of discussion)which is both unbreakable, and existentially unforgeable. Byunbreakable, we means that if one is given E(x), an encryption of x, butone does not have the decryption key, then one cannot infer anythingabout x. By existentially unforgeable, we mean that if one is givenE(x), an encryption of x, but one does not have the decryption key, thenone cannot produce any string forge such that forge=E(y) for some y.These security requirements are information theoretic, and must apply tosomeone with arbitrary computational power.

To accomplish this, we use the notion of universal hash functions, firstintroduced by Carter and Wegman[CW]. In addition, we require thefollowing property of our universal sets.

Definition

A family of 2-universal sets H_(n) of functions h:{0,1}^(n) →{0,1}^(n)is almost self-inverse iff for all c, and for all n sufficiently large(with respect to c), a function h, picked uniformly from H, will have aninverse h⁻¹ εH with probability >1-n^(-c).

One example of an almost self-inverse 1-universal set of hash functionsis the set of linear equations over GF(2^(n)). As there is a trivialcorrespondence between {0,1}^(n) and GF(2^(n)). As there is a trivialcorresondence between {0,1}^(n) and GF(2^(n)), we treat all our elementsas being in {0,1}^(n).

For our encryption system, we require that all legal message m arepadded with a number of trailing 0's equal to the length of the originalmessage. We encrypt a message mε{0,1}^(n) by applying some uniformlyselected function hεH_(n) to it. We can decrypt h(m) by by applying itsh⁻¹ to it. For our purposes, we can safely ignore the possibility that auniformly chosen h isn't invertible. The following lemma shows that thisencryption scheme is unbreakable and unforgeable.

Lemma

Let h be chosen uniformly from H_(n). Then

    (unbreakability) (x,yε{0,1}.sup.n)prob(h(x)=y)=2.sup.-n. (1)

    (unforgeability) (x,y,zε{0,1}.sup.n)prob(wε{0,1}.sup./2 0.sup.n/2)h(w)=z|h(x)=y)=2.sup.-n/2.             (2)

Proof

Both properties follow immediately from the definition of 2-universalhash functions.

In the protocol the provers will agree on four random hash functions h₁,h₂, h₃, h_(r) □H_(p)(n). At the end of the protocol, the verifier willpossess the values of h₁ (r), h₂ (q₁), and h₃ (a₁), but will not possessany extra information about which functions h₁, h₂ and h₃ actually are.However, knowing the value of h(x) gives no information, in theinformation theoretic sense, about the value of x. This is roughly howthe zero-knowledge aspect of our protocol is achieved.

A.3.2 Use of oblivious circuit evaluation

We use the reduction of Kilian[K] from oblivious transfer to obliviouscircuit computation. This reduction maintains the usual securityproperties desired of oblivious circuit evaluation, without recourse toany intractibility assumptions.⁵ Its sole requirement is a sequenceO=O₁, . . . , O_(p)(n) of bits, all of which are known to A, and half ofwhich are known to B(a more detailed description of this condition isgiven in section A.2). This set of bits (or, more technically, areasonable approximation to such a set) is provided by the oblivioustransfer protocol outlined in section A.2 for the rest of thisdiscussion, we treat oblivious circuit evaluation as a primitiveoperation.

A.3.3 Outline of the Zero-Knowledge Protocol

We can now describe our zero-knowledge transformed protocol For ourexpositions, we still treat oblivious circuit computation of as aprimitive. (A description of circuits C_(o), C₁, C₂ and C₃ is givenfollowing the protocol.) Note the similarity between this descriptionand the description of the normal-form for protocols given above.

On input x, where |x|=n.

Step O

Provers 1 and 2 agree on random invertible hash functions h₁, h₂, h₃, h₄εH_(2p)(n), and random string r₁ ε{0,1}^(p)(n). The verifier selects arandom string r₂ ε{0,1}^(p)(n). The verifier and Prover 1 evaluater'=C_(o) [x](r₁,r₂,h₁). (/r will the random coin tosses to be used bythe verifier).

Step 1

The verifier and Prover 1 then evaluate q₁ '=C₁ [x](r',h_(i) ⁻¹,h₂), theencrypted version of the verifier's first question.

Step 2

The verifier sends q₁ ' to Prover 1. If h₂ ⁻¹ (q₁ ') does not decrypt toa legitimate message, then Prover 1 halts the conversation. Otherwise,Prover 1 computes his answer, a₁, and sends the verifier a₁ '=h₃ (a₁).The verifier and Prover 1 evaluate q₁ '=C₂ [x](r',a₁ ',h₁ ⁻¹,h₃ ⁻¹,h₄),the encrypted version of the verifiers second question.

Step 3

The verifier sends q₂ ' to Prover 2. If h₄ ⁻¹ (q₂ ') does not decrypt toa legitimiate message, then Prover 2 halts the conversation. Otherwise,Prover 2 computes his answer, a₂. The verifier and Prover 2 evaluatedecision=C₃ [x](r',a₁ ',a₂,H₁ ⁻¹,h₃ ⁻¹).

At the end of this protocol, verifier accepts iff decision=true.

We now describe circuits C_(i) for i=0,1,2,3.

For each circuit, we give the input from the prover, the input from theverifier, and the output given to the verifier. We adopt the conventionthat |x|=n, and assume without loss of generality that all strings beingexchanged in the protocol are of length p(n), for some polynomial p. Weuse the following simple functions to simplify our exposition. Functionpad_(n) :{0,1}^(n) →{0,1}^(2n) pads an extra n zeros onto the end of ann-bit string Function strip_(n) :{0,1}^(2n) →{0,1}^(n), which removesthe last n bits from a 2n-bit string. Predicate legal_(n) :{0,1}^(2n)→{true,false} is true iff the last n bits of the input string are equalto 0.

C_(o) [x]

Input from the prover

A sequence of bits, b=b₁, . . . , b_(p)(n), and a hash functionhεH_(2p)(n).

Input from the verifier

A sequence of bits c=c₁, . . . , C_(p)(n).

Output to the verifier: Output(h(pad_(n) (b⊕c))).

Circuit C_(o) [x] is the initialization circuit that creates theverifiers random bits in Stage 1 of the protocol described above.

    ______________________________________                                               C.sub.1 [x]:                                                                  Input from the prover:                                                        Hash functions h.sub.1.sup.-1, h.sub.2 ε H.sub.2p(n).                 Input from the verifier:                                                      String r' ε {0;1}.sup.2p(n).                                          Output to the verifier:                                                       r = h.sub.1.sup.-1 (r')                                                       If legal.sub.p(n) (r) = false                                                 Then Output(O.sup.2p(n))                                                      Elde r = strip.sub.p(n) (r)                                                   q.sub.1 = q.sub.1 (x,r)                                                       Output(h.sub.2 (pad.sub.p(n) (q.sub.1)))                               ______________________________________                                    

Circuit C₁ [x] is used to implement Stage 1 of the protocol describedabove.

    ______________________________________                                        C.sub.2 [x]:                                                                  Input from the prover:                                                        Hash functions h.sub.1.sup.-1, h.sub.4 ε H.sub.2p(n)                  Input from the verifier:                                                      Strings r', a'.sub.1  ε {0,1}.sup.2p(n)                               Output to the verifier:                                                       r = h.sub.1.sup.-1 (r')                                                       a.sub.1 = h.sub.3.sup.-1 (a.sub.1 ')                                          If (legal.sub.p(n) (r) and legal.sub.p(n) (a.sub.1) = false                   Then Output(O.sup.2p(n))                                                      Else r = strip.sub.p(n) (r)                                                   a.sub.1 = strip.sub.p(n) (a.sub.1)                                            q.sub.2 = q.sub.2 (x,r,a.sub.1)                                               Output(h.sub.4 (pad.sub.p(n) (q.sub.2)))                                      ______________________________________                                    

Circuit C₂ [x] is used to implement Stage 2 of the protocol describedabove.

    ______________________________________                                        C.sub.3 [x]:                                                                  Input from the prover:                                                        Hash functions h.sub.1.sup.-1, h.sub.3.sup.-1 ε H.sub.2p(n),          String a.sub.2 ε {0,1}.sup.p(n)                                       Input from the verifier:                                                      Strings r', a'.sub.1 ε   {0,1}.sup.2p(n).                             Output to the verifier:                                                       r = h.sub.1.sup.-1 (r')                                                       a.sub.1 = h.sub.3.sup.-1 (a.sub.1 ')                                          If(legal.sub.p(n) (r) and legal.sub.p(n) (a.sub.1)) = false                   Then Output(O.sup.2p(n))                                                      Else r = strip.sub.p(n) (r)                                                   a.sub.1 = strip.sub.p(n) (a.sub.1)                                            Output(accept(x,r,a.sub.1,a.sub.2))                                           ______________________________________                                    

Circuit C₃ [x] is used to implement Stage 3 of the protocol describedabove.

The two obvious questions we must deal with are, "Is this protocol stilla proof system?", and "Is this protocol zero-knowledge?"

Is this protocol a proof system?

If the verifier is honest, and if the provers input the correct hashfunctions, and their inverses, into the circuits being evaluated, thenone can map transcripts of conversations in this protocol intotranscripts of the original protocol (with possibly cheating provers).In this case, the provers cannot cheat any more effectively they couldin the original protocol, and the new protocol will remain a proofsystem if the original one was.

If the provers do not input consistent sets of hash functions, thennothing can be guarenteed about whether the protocol remains a proofsystem. However, using the machinery developed in [K], it is possiblefor the provers to commit, at the beginning of the protocol, all thehash functions they input to the circuits, along with a zero-knowledgeproof that these inputs are consistent with each other.

Is this protocol zero-knowledge?

The proof that this protocol is zero-knowledge is, while not overlycomplex or difficult, relies too heavily on machinery from [K] to beconcisely presented here. We make the following intuitive argument forwhy the protocol is zero-knowledge.

First, note that the verifier's actions are severely restricted by theuse of circuits and the encryption scheme. Except for its random bits,all the inputs it gives to the provers or the circuits are encryptedwith an unforgeable system. If the verifier ever attempts to give anincorrect string to a prover, the prover will detect the forgery willprobability exponentially close to 1. Likewise, if the verifier inputsan incorrect string to a circuit, it will almost certainly output either0^(2p)(n) or false. This rules out any active attack on the part of theverifier.

Second, we show that passive attacks by the verifier do not yield ayinformation. The intermediate outputs of circuits C₁, . . . , C₃ are alluniformly distributed, and thus yield no information.

F Applications of the two-processor system to general protocols

Our two-processor system can be used to solve problems more general thansimple identification. A two-processor smart card (or other similarsystem) can interact with another agency in any general two-partyprotocol. Let X designate a string, number, or other encoding of someinformation possessed by a two-processor smart card (or other similarsystem). Let Y designate a string, number, or other encoding of someinformation possessed by a second party. This second party may have theability to isolate the two processors on the smart card (or othersimilar system), or the processors may be isolated by some furtherexternal mechanism.

Let F be any function which may be described by a circuit. Then thetwo-processor smart card (or other similar system) can interact with thesecond party, so that the following conditions hold.

1. The second party learn the value of F(X,Y).

2. For as long as the two processors on the smart card (or other similarsystem) cannot compute any information about Y. Thus, subject to theisolation condition being maintained, the second party's security isunconditionally protected in this phase of the interaction. Thissecurity does not depend on any assumptions about the intractability ofcomputing special functions.

3. The second party learns no further information about X than may beinferred from knowing Y and F(X,Y). This security condition remains evenafter the isolation of the two processors has terminated.

The technique for implementing general protocols satisfying the abovesecurity conditions is described in the document, Multi-ProverInteractive Proof Systems: Eliminating Intractability Assumptions.

References [BC] Brassard, Gilles and Claude Crepeau. "Zero-KnowledgeSimulation of Boolean Circuits," Proceedings of the 27th FOCS, IEEE,1986, 188-195.

[GM] Goldwasser S., and Micali S., "Probabilistic Encryption", JCSS,vol. 28, no. 2, 1984, pp. 270-299.

[GHY] Galil Z., Haber S., and Yung M., "A Private Interactive Test of aBoolean Predicate and Minimum-Knowledge Public-Key Cryptosystem",Proceedings of the 26th FOCS, 1985, pp. 360-371.

[GMW] Goldreich, Oded, Silvio Micali, and Avi Wigderson. "Proofs thatYield Nothing but the Validity of the Assertion, and a Methodology ofCryptographic Protocol Design," Proceedings of the 27th FOCS, IEEE,1986, 174-187.

[GMR] Goldwasser, Shafi, Silvio Micali, and Charles Rackoff. "TheKnowledge Complexity of Interactive Proof-Systems," Proceedings of the17th STOC, ACM, 1985, 291-304.

[AL] Angluin, Dana and David Lichtenstein. "Provable Security ofCryptosystems: a Survey," YALEU/DCS/TR-288, 1983. Proceeding of the 17thSTOC, 1985, pp. 421-429.

[Ba] Barrington, D. "Bounded Width Polynomial Size Branching ProgramsRecognize Exactly Those Languages in NC¹ ", Proceedings of 18th STOC,1986, pp. 1-5.

[Bl] Blum, M., Private Communication.

[BC] Brassard, Gilles and Claude Crepeau. "Zero-Knowledge Simulation ofBoolean Circuits," Proceedings of the 27th FOCS, IEEE, 1986, 188-195.

[BHZ] Boppana, Ravi, Johan Hastad, and Stathis Zachos. "Does CoNP HaveShort Interactive Proofs?," IPL, 25, 1987, 127-132.

[CDvdG] Chaum, David, Ivan Damgard, and Jeroen van de Graaf. "MultipartyComputations Ensuring Secrecy of Each Party's Input and Correctness ofthe Output," Proceedings of CRYPTO '87. Proceedings of CRYPTO '85,Springer-Verlag, 1986, 477-488.

[CG] Chor, B, Goldreich G, "Unbiased Bits from Sources of WeakRandomness and Probalistic Communication Complexity", Proceedings of the26th FOCS, 1985.

[Ck] Crepeau C., Kilian J., Private Communication.

[CW] Carter L., Wegman M., "Universial Classes of Hash Functions", JCSS18, 1979, pp. 143-154.

[C] Crepeau Claude, "On the Equivalence of Two Types of ObliviousTransfer", Crypto87.

[FST] Feige, U., Shamir, A., Tennenholz, M., "The Noisy Oracle Problem",Private Communication of Manuscript

[F] Fortnow, Lance. "The Complexity of Perfect Zero-Knowledge,"Proceedings of the 19th STOC, ACM, 1987, 204-209.

[FRS] Fortnow, Lance., Rompel J., Sipser M., "On the Power ofMulti-Prover Interactive Proofs" In preparation.

[FMR] Fischer M., Micali S., Rackoff C., and Wittenberg S., "AnOblivious Transfer Protocol Equivalent to Factoring", In Preparation.

[GM] Goldwasser S., and Micali S., "Probabilistic Encryption", JCSS,vol. 28, no. 2, 1984, pp. 270-299.

[GHY] Gali Z., Haber S., and Yung M., "A Private Interactive Test of aBoolean Predicate and Minimum-Knowledge Public-Key Cryptosystem",Proceedings of the 26th FOCS, 1985, pp. 360-371.

[EGL] Even S., Goldreich O., and A. Lempel, A Randomized Protocol forSigning Contracts, CACM, vol. 28, no. 6, 1985, pp. 637-647.

[GMS] Goldreich O.,, Mansour Y.,, and Sipser M.,, "Interactive ProofSystems: Provers that Never Fail and Random Selection", Proceedings ofthe 28th FOCS, 1987, pp. 449-462.

[GMW1] Goldreich, Oded, Sivio Micali, and Avi Wigderson. "Proofs thatYield Nothing but the Validity of the Assertion, and a Methodology ofCryptographic Protocol Design," Proceedings of the 27th FOCS, IEEE,1986, 174-187.

[GMW2] Goldreich, Oded, Silvio Micali, and Avi Wigderson. "How to PlayANY Mental Game," Proceedings of the 19th STOC, ACM, 1987, 218-229.

[GV] Goldreich, O., Vainish, R. "How to Solve any Protocol Problem: AnEfficiency Improvement", Crypto 87.

[GMR] Goldwasser, Shafi, Silvio Micali, and Charles Rackoff. "TheKnowledge Complexity of Interactive Proof-Systems," Proceedings of the17th STOC, ACM, 1985, 291-304.

[HM] Hastad J., Mansour Y., "Private Communication"

[K] Kilian, J. "On the Power of Oblivious Transfer," Proceedings of thisconference

[L] Lautemann C., "BPP and the Plynomial Time Hierarchy", IPL, 14, 1983,pp. 215-217.

[R] Rabin, M., "How to exchange secrets by oblivious transfer", Tech.Memo TR-81, Aiken Computation Laboratory, Harvard University, 1981.

[Yao82] Yao, Andrew C. "Protocols for Secure Computations," Proceedingsof the 23rd FOCSA, IEEE, 1982, 160-164.

[Yao86a] Yao, Andrew C. "How to Generate and Exchange Secrets,"Proceedings of the 27th FOCS, IEEE, 1986, 162-167.

[Yao86b] Yao, Andrew C. "Theory and Applications of Trapdoor Functions",Proc. of the 23rd FOCS, 1982, IEEE, pp. 80-91.

We claim:
 1. A method in a multiparty verification system for processingrespective outputs from a prover and a verifier, the prover comprisingfirst and second prover units which share information, the methodcomprising:limiting communications between the first and second proverunits; in the first prover unit encrypting identification informationbased on confidential verifier information from the verifier andconfidential prover information shared by the first and second proverunits; providing prover information required for decryption from thesecond prover unit to the verifier.
 2. A method as claimed in claim 1wherein the confidential verifier information and the confidentialprover information are chosen at random.
 3. A method in a multipartyverification system for processing respective outputs from a prover anda verifier, the prover comprising first and second prover units whichshare confidential information for generating outputs therefrom,communication between the first and second prover units being limitedwhen the prover and verifier are coupled, the methodcomprising:providing verifier encryption information from the verifierto the prover; causing the first prover unit to commit to a transfer ofinformation to the verifier, the transferred information being encryptedby the first prover unit based on the verifier encryption informationand prover encryption information shared by the first and second proverunits; providing selection information from the verifier to the secondprover unit to select one of plural subsets of the encrypted informationfor decryption; providing prover encryption information, correspondingto the selected subset of the encrypted information, exclusively, fromthe second prover unit to the verifier; and decrypting the selectedsubset of encrypted information.
 4. A method as claimed in claim 3wherein the prover encryption information shared by the first and secondprover units comprises random information.
 5. A method as claimed inclaim 4 wherein the verifier encryption information and the selectioninformation are chosen at random.
 6. A method as claimed in claim 3wherein both the prover and verifier have access to an identificationset of numbers and a target number and the prover alone has acess to theidentity of a solution subset of the identification set, the sum of thenumbers of the solution subset equalling the target number.
 7. A methodas claimed in claim 3 wherein the prover and verifier both have accessto a graph and the prover alone has access to a Hamiltonian cycle withinthe graph.
 8. A method as claimed in claim 3 wherein both the prover andverifier have access to an identification set of information and theprover alone has access to the identity of a solution subset of theidentification set, the solution subset having a predeterminedmathematical relationship with the identification set, the solutionsubset being readily verifiable as a proper solution but not beingreadily determinable from the identification set of information.
 9. Amethod as claimed in claim 8 wherein the first prover unit, in aplurality of cycles with respect to identification sets of informationpermutated by the first prover unit, transfers each permutedidentification set encrypted, and the selection information selectsinformation including the full identification set or the solutionsubset, exclusively.
 10. A method as claimed in claim 3 furthercomprising, in a plurality of cycles, permutating the information by thefirst prover unit which is encrypted and transferred to the verifier.11. An identification method in a multiparty verification system forprocessing respective outputs from a prover and a verifier to identifythe prover, the prover and verifier sharing an identification set ofinformation, the prover comprising first and second prover units whichshare confidential information comprising a solution subset ofinformation having a predetermined mathematical relationship with theidentification set of information, the solution subset being readilyidentifiable as a proper solution but not being readily determinablefrom the identification set of information, communication between thefirst and second prover units being limited when the prover and verifierare coupled, the method comprising, in a plurality of cycles withrespect to identification sets of information permutated by the firstprover unit:providing verifier encryption information from the verifierto the first prover unit; in the first prover unit encrypting, based onthe verifier encryption information and prover encryption informationshared by the first and second prover units, permutated informationderived from the identification set of information, and forwarding theencrypted information to the verifier; providing selection informationfrom the verifier to the second prover unit to select the identificationset of information or the solution subset of the encrypted permutatedinformation for decryption; providing prover encryption informationcorresponding to the selected encrypted information from the secondprover unit to the verifier; and decrypting the selected encryptedinformation.
 12. A method as claimed in claim 11 wherein the proverencryption information shared by the first and second prover unitscomprises random information.
 13. A method as claimed in claim 12wherein the verifier encryption information and the selectioninformation are chosen at random.
 14. A method as claimed in claim 11wherein both the prover and verifier have access to an identificationset of numbers and a target number and the prover alone has access tothe identity of a solution subset of the identification set, the sum ofthe numbers of the solution subset equalling the target number.
 15. Amethod as claimed in claim 14 wherein the permutated informationcomprisesA={v_(i), 1≦i≦n} where v_(i) is chosen at random in ##EQU18##B={w_(i), 1≦i≦n}, the identification set C={s_(i), 1≦i≦n} where s_(i)=v_(i) +w_(i) for all 1≦i≦n D=Σ_(j)εJ v_(j) E=J, the solution subsetF=T+E_(j)εJ v_(j), where T is the target and the selection informationselects (A,B,C), (A,D,E) or (C,E,F).
 16. A method as claimed in claim 11wherein the prover and verifier both have access to a graph and theprover alone has access to a Hamiltonian cycle within the graph.
 17. Adata processing system for implementing a verification sequencecomprising first and second processors in communication with each other,the first processor comprising at least first and second units whichshare confidential information and which are prevented fromcommunicating with each other regarding verification information when incommunication with the second processor during the verificationsequence, the first and second processors cooperating in communicationwith each other to provide an output as a function of the confidentialinformation of the first processor without disclosure of theconfidential information of the first processor such that the secondprocessor is assured of the validity of the output due to its separatecommunication with the first and second units of the first processor.18. A system as claimed in claim 17 wherein the confidential informationof the first processor is information x to which a function F(x) isapplied, F(x) being readily computed but being difficult to invert, thesecond processor has access to F(x) and the first and second processorscommunicate such that the first processor demonstrates to the secondprocessor its possession of x without disclosure of x.
 19. A system asclaimed in claim 17 wherein the first unit of the first processorencrypts and transfers information to the second processor, theencryption being based on confidential information from the secondprocessor and confidential information shared by the first and secondunits of the first processor, and the second unit of the first processortransfers shared confidential information required for decryption to thesecond processor.
 20. A system as claimed in claim 19 wherein the secondunit of the first processor responds to selection information from thesecond processor to transfer to the second processor the informationrequired for decryption of one of plural subsets of the encryptedinformation.